Cisco 881 loses NAT NVI mappings after reload

joenyland
Level 1

I've just purchased a new Cisco 881.

I'm using NAT NVI for my inbound static mappings. However, regardless of the fact that the config is saved to NVRAM, after a reload of the router the NAT mappings are set up as traditional inside/outside mappings. This means that inbound connections into the router on the required services fail until someone logs on to the router and re-applies the NVI mappings.

Why would this be happening?

Here's a sanitised version of my startup-config:

!
! Last configuration change at 20:20:15 UTC Tue Dec 11 2012 by xxx
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
enable secret 4 xxxx
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
!
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-xxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxx
revocation-check none
rsakeypair TP-self-signed-xxx
!
crypto pki certificate chain TP-self-signed-xxx
certificate self-signed 01
  xxx
            quit
ip gratuitous-arps
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
ip domain list dmz.xxx.local
ip domain list xxx.local
ip domain name dmz.xxx.local
ip name-server 192.168.1.x
ip cef
login block-for 3 attempts 3 within 3
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn xxx
!
username admin privilege 15 secret 4 xxx
username joe secret 4 xxx
!
ip ssh time-out 60
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
ip address dhcp
ip nat enable
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.1.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
!
interface Vlan2
ip address 192.168.0.x 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
ip nat source list 1 interface FastEthernet4 overload
ip nat source list 2 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.2 993 interface FastEthernet4 993
ip nat source static tcp 192.168.1.2 80 interface FastEthernet4 80
ip nat source static tcp 192.168.1.2 443 interface FastEthernet4 443
ip nat source static tcp 192.168.1.2 25 interface FastEthernet4 25
ip nat source static tcp 192.168.1.2 587 interface FastEthernet4 587
ip nat source static tcp 192.168.1.2 143 interface FastEthernet4 143
ip nat source static tcp 192.168.1.2 1723 interface FastEthernet4 1723
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
!
control-plane
!
banner motd
Authorized Access only
!
line con 0
exec-timeout 15 0
login authentication local_auth
line aux 0
exec-timeout 15 0
login authentication local_auth
line vty 0 4
access-class 2 in
login authentication local_auth
length 0
transport input all
!
end

I'd appreciate any suggestions as to how I can stop this from happening.

Thanks.

23 Replies

I've been working with TAC for 2 days now. Still no luck. They said that NVI translation is only for VRF to VRF, not for use in global, so it's not supported that way. In other words, they won't look into the bug. So I put everything into VRFs, but now I'm having issues with the static port-based NAT statements. If you use an interface-based one like we have here, you can't specify a VRF in the command.

It's getting kind of ridiculous.

Wish I could help with that one but I've never done anything with VRF. I think I'm going to move off of NVI on my router as it seems to cause some performance issues on NATed traffic.

Elton

Sent from Cisco Technical Support iPhone App

Apparently the issue is related to me using DHCP from my ISP. So when the router reboots, whatever propagates the NAT table doesn't find an outside IP address assigned yet and--BUGGED. TAC was unable to come up with another solution. It doesn't look like it will be fixed any time soon since NVI isn't supported in the global VRF anyway. I found some info here as well: http://tech.jocke.no/2010/09/24/cisco-ios-nat-virtual-interface/.

I'm using the following as a workaround until I can get a static address from my ISP, see this bug fixed, or come up with something else (don't laugh):

event manager applet DHCP_ADDRESS_CHANGE
event syslog pattern "FastEthernet0/1 assigned DHCP address"
action 100 syslog msg "FIXING NVI NAT"
action 125 cli command "enable"
action 150 cli command "config t"
action 200 cli command "ip nat source static tcp 192.168.168.50 8123 interface FastEthernet0/1 8123"
action 201 cli command "ip nat source static tcp 192.168.168.50 80 interface FastEthernet0/1 80"
action 202 cli command "ip nat source static tcp 192.168.168.55 3074 interface FastEthernet0/1 3074"
action 203 cli command "ip nat source static udp 192.168.168.55 3074 interface FastEthernet0/1 3074"
action 204 cli command "ip nat source static udp 192.168.168.55 88 interface FastEthernet0/1 88"
action 205 cli command "ip nat source static tcp 192.168.168.50 25565 interface FastEthernet0/1 25565"

It works 100% of the time, and disgusts me every time. ;-)

Sean

Holy F-ing bug, Batman!

Cisco REALLY, needs to fix this. It's still around!


I had this happen to me across 3 different routers (887, 1841, 2821) where I "upgraded" to using NVI, and the end result is random web services stop working at different points in time whenever that particular router rebooted.

Anyway, I also really like the NAT hairpinning feature of using NVI, however using NVI also reduces performance. I am curious to know if you ever found out how to perform NAT hairpinning using traditional NAT statements and route-maps as you said in a previous post.

The only other way I can see NAT Hairpinning functioning is with workarounds for this NVI bug:
1. The workaround using a TCL script, like sklic just posted.
2. Placing everything related to the internet interface in a fake_global VRF, because that makes sense to Cisco.

I have this issue also...

:/

Elton Babcock
Level 1

Thanks for the update Sean.

I moved away from NVI this weekend and saw a huge speed increase on routed packets.

Using the NVI I was getting around 4.5MBs and after I switched back to traditional NAT I was seeing between 17-20MBs.

Elton

Sent from Cisco Technical Support iPhone App

I would love to do the same, however I'm relying on the hairpin-NAT feature of NVI. I've heard that you can use traditional NAT and hairpin it using loopbacks and route-maps, but I've never seen the actual code.

angelcool
Level 1

Same problem here. When I reboot my 1721, the static NVI entries are loaded as traditional NAT entries:

"show ip nat nvi translations" does not display the entries.

"show ip nat translations" displays the entries.

I use the no form of the commands and re-enter them, and all works fine again.

Why do I use NVI? Because I do not limit myself to only one outside interface. I wrote a small tutorial on where NVI is useful: http://www.angelcool.net/tutorials/cisco/WebDevelopmentNetwork_NVI.pdf . Anyhow, my router:

router#
router#show ver
Cisco IOS Software, C1700 Software (C1700-ADVENTERPRISEK9-M), Version 12.4(7), RELEASE SOFTWARE (fc6)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 01-Mar-06 08:15 by alnguyen

ROM: System Bootstrap, Version 12.2(7r)XM5, RELEASE SOFTWARE (fc1)

router uptime is 5 hours, 37 minutes
System returned to ROM by reload
System image file is "flash:c1700-adventerprisek9-mz.124-7.bin"

Hi, I based this on sklic's code to read and re-enter the existing configuration as soon as the network interface state changes. This is an EEM script, so you have to copy it and "install" it in your router.

It's almost as if it's a patch to the bug. You just have to configure the phrase to trigger the script from the Cisco syslog. This phrase is what your router prints when you want the NAT statements to be re-entered.

With this script enabled and configured, "port forwarding" configured using the ip nat enable command will work across reboots and interface flapping.

You can tell this is happening to you if you have ip nat source static ... statements visible in the output of show ip nat translations.

The script is available here:

https://github.com/vittorio88/cisco-scripts/blob/master/fix_nvi.tcl

Save it, and copy it to the router. Look inside the file for how to configure IOS to use the script.

Good Luck!

-Vittorio
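A generator for the workaround Sean posted above, combined with Vittorio's idea of reading the static maps back out of the saved config rather than hand-typing each one. This is added example code, not from the thread or any poster; it assumes a config saved with IOS's usual one-space sub-command indentation (the pastes above lost it), a constructed sample config, and the hypothetical applet name NVI_NAT_REAPPLY.

```python
import re
# Constructed sample modelled on the thread's sanitised startup-config: WAN gets its
# address by DHCP, NVI ("ip nat enable") on both sides, static maps to a Vlan1 host.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address dhcp
 ip nat enable
!
interface Vlan1
 ip nat enable
!
ip nat source list 2 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.2 443 interface FastEthernet4 443
ip nat source static tcp 192.168.1.2 25 interface FastEthernet4 25
"""
# The interface-based NVI static maps the thread reports reverting after a reload.
STATIC_RE = re.compile(r"^ip nat source static (?:tcp|udp) \S+ \d+ interface (\S+) \d+$")


def parse_config(config):
    """Return (dhcp_nvi_interfaces, [(interface, static_nat_line), ...])."""
    iface, flags, statics = None, {}, []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            statics.append((m.group(1), line))
        elif line.startswith("interface "):
            iface = line.split()[1]
            flags[iface] = set()
        elif line.startswith(" ") and iface:
            flags[iface].add(line.strip())  # sub-command inside the stanza
        else:
            iface = None  # any other top-level line ends the stanza
    wan = sorted(i for i, f in flags.items() if {"ip address dhcp", "ip nat enable"} <= f)
    return wan, statics


def build_applet(config, name="NVI_NAT_REAPPLY"):
    """EEM applet that re-enters each NVI static map once IOS logs the DHCP lease."""
    wan, statics = parse_config(config)
    if len(wan) != 1:
        raise ValueError("expected one DHCP + NVI WAN interface, found %r" % wan)
    maps = [cmd for ifname, cmd in statics if ifname == wan[0]]
    out = ["event manager applet " + name,
           ' event syslog pattern "%s assigned DHCP address"' % wan[0],
           ' action 100 cli command "enable"', ' action 110 cli command "configure terminal"']
    # EEM sorts action labels as strings, so keep every label the same width.
    for label, cmd in enumerate(maps, start=200):
        out.append(' action %d cli command "%s"' % (label, cmd))
    out += [' action 900 cli command "end"',
            ' action 910 syslog msg "re-applied %d NVI static maps on %s"' % (len(maps), wan[0])]
    return "\n".join(out)
```

Paste the returned applet into configuration mode; its trigger is the same DHCP address-assignment syslog line Sean's applet keys on, so it fires on reload and on every lease change.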
